Read of my efforts to be an exemplary class rep. in the Elvey v. TD Ameritrade pump-n-dump spam and Identity Theft litigation. (I discovered the information security breach by which the Social Security Numbers of all 6.3 million AMTD customers were compromised and proved that known criminals had gained access to the database they were in.)

December 10, 2010

Third Proposed Settlement up for Preliminary Approval. I oppose. (Modified 1/1/11, 1/25/11)

NEW: You can review and comment on the key documents, which I’ve posted in editable wiki form at http://caringaboutsecurity.wikispaces.com! Cool, huh? (I’ve not posted the less important documents to the wiki. Just exhibits A, F, and G for now.) Please take a look and provide feedback.

On December 9, 2010, I filed and argued in court against the motion for preliminary approval:

Elvey_Response_to_Kreinder-TDA_offer.pdf describing our concerns. I’d highlight them thusly: We pushed for an effective audit. This settlement proposal notice is misleading and poorly publicized, and so cannot be fair. It has an audit component that to the untrained or hasty eye is meaningful compensation, but to the security expert or careful reader is security theatre that “does not require Ameritrade to adopt any new permanent security measures to remedy the problems giving rise to the lawsuit, or even to reveal what those security problems were and how it has fixed them.”

I also filed and argued for a motion to unseal the secret deposition:

Motion_to_Unseal.pdf. I had to rush to get these out; the hearing was originally scheduled for December 23rd.

If I’d had more time, I’d have presented this argument for the motion to unseal: Essentially, there’s a major inconsistency with respect to the risk of ID theft. Based on the information provided to me by the whistleblower, I believe that a claim that TD Ameritrade has found no evidence linking the data breach to identity theft attempts is untrue. And yet, the settlement states “TD Ameritrade has no evidence linking the data breach to instances of identity theft”. So I conclude that either the settlement is inconsistent with the deposition, or the deposition contains untrue or highly misleading statements that have induced the attorneys working on behalf of the class to agree to a settlement that misleads the class as to the nature of the risk of identity theft. They don’t have the whistleblower’s information, or the deposition. I also would have argued that proposed class reps and counsel should receive a copy of all reports from security firms ID Analytics and Mandiant. The whistleblower has made it very clear that TD Ameritrade does not have evidence that the hackers never took social security numbers.

In court, Judge Walker asked me if I was aware that I could opt out. Of course I am, but I wish I’d added that I spoke in court because I filed my motion and fight this case on behalf of the class, and take my duty to represent that class seriously; whether the court has recognized the class yet, or me as its rep, that is still my legal obligation.

Originally Published on: Nov 18, 2010:

These filings are in response to the latest proposed settlement up for preliminary approval.

Unfortunately, the settlement papers were not properly filed, so I do not have proper (searchable) PDFs, but I am pushing to have this rectified (don’t hold your breath though).

229.CERTIFICATE_OF_SERVICE.pdf is unimportant; it’s apropos Bob Kriss, apparently a luddite attorney representing TD Ameritrade who has email (“Robert J.Kriss” ) but is too clueless to get with the program and register properly for the Court’s ECF system, as is REQUIRED by General Order 45, which provides at Section IV (A) that “Each attorney of record is obligated to become an ECF User and be assigned a user ID and password for access to the system upon designation of the action as being subject to ECF.”* and yet, amazingly, has represented some of the world’s largest technology companies!

*as quoted in Case 3:06-cv-02169-MHP Document 20.

Addendum

“News” coverage this time around is on a par with last time.

The AP’s Josh Funk mis-reported on the morning of November 16, 2010 that all class members could get at least $50! The story has since been quietly corrected. (Most class members would get $0.) The story still sometimes appears with the doubly-erroneous subtitle “New TD Ameritrade data theft settlement offers people $50-$2,500 for ID theft in 2007 breach”.

It seems Ameritrade’s PR has been working overtime, and there’s no bar low enough that they won’t step under it.

Sarah Pierce, a “reporter” for topclassactions.com mis-reported on November 25th: “Social Security Numbers, user names and passwords were not compromised, according to TD Ameritrade’s investigation into the matter.” This is simply false (where does this misinformation come from? Pre-written ‘news’ articles from Ameritrade’s PR, like the ?). Social Security Numbers were compromised. I’ve detailed the evidence proving the utter falsehood of this claim that Ms Pierce has echoed, as has the PRC. I’ve discussed this news problem here and in court filings, explaining why datalossdb and the PRC changed their tune, to correctly report that Social Security Numbers were compromised, according to TD Ameritrade’s own reports. Ms Pierce also mis-reports: “A final approval hearing on the new Ameritrade Data Breach Class Action Lawsuit Settlement will be held December 23.” This is not true either; no hearing date has been set for a final approval hearing; the settlement hasn’t even been preliminarily approved; the judge is considering whether to do so.

NEW: AlertBoot’s Sang Lee mis-reported that clients only had their “immaterial” personal information, namely e-mail addresses, stolen! Sang Lee reinforces the point I made to Judge Walker last week (as exemplified by docket entries 110, 112, 116, 117, 161, and 178): readers are routinely misled by the proposed notice into thinking that just addresses were stolen, not only by being another glowing example, but also by highlighting the difference in severity between an SSN compromise and an email address compromise; Judge Walker’s comment in court was ‘same difference’, or something to that effect.

It’s interesting to compare this proposed settlement to the settlement disclosed at www.dadsettlement.com. The latter seems to provide class members with a much better deal: There’s no per-class-member cap on claimed damages, and every class member is offered years of credit monitoring protection.

NEW: Eric Goldman’s very popular Technology & Marketing Law Blog has also mis-reported the minimum class member compensation as $50 instead of $0. It has issued a couple of corrections and clarifications to its interesting, unique article on this settlement proposal. It’s even more interesting with the corrections, and will get even more interesting than that when (or if) class counsel responds to his inquiry. Class counsel has become unresponsive again; I’ve twice sent the same follow-up email regarding my complaint that the Claim Forms (online and for paper-filing) were not made available until well after the notices had been sent out (and the latter is STILL not available), which is a superbly evil way to BOTH decrease payouts to the class, AND increase payouts to class counsel. I have received no response!

NEW: The Privacy Rights Clearinghouse has also mis-reported the minimum class member compensation as $50 instead of $0; correction is in process.

NEW: I think the main improvement is that now at least some class members get a major benefit. Unfortunately, it’s only a tiny fraction who will get any money. The main hurdles are:

Learn of the settlement (most members will not learn of it, as the MOST likely way they’ll learn of it is an email to an email address that’s years old and will probably go into spam folders), and then understand it (the 3 notices and claim form are long and complicated).

Be eligible for compensation. If you’ve not been an Identity Theft victim, you get $0.

Take the time and have the skill to understand the need for, and do the research to request, create or find the particular evidence paperwork required to apply successfully for the most compensation.

Under the previous settlement, to which I objected, at least all class members were well-notified of, eligible for and could fairly easily apply for the main benefit – the Trend Micro security suite.

Here’s how the settlement works:

If you’ve been an Identity Theft victim, and the only identity theft you experienced involved an Existing Credit or Debit Card Account, you may recover $50 if you correctly provide the required information described on a complicated form, and obtain and provide copies of the documentation it requires.

If you’ve been an Identity Theft victim, and the identity theft you experienced involved a New Account or an Existing Account other than an Existing Credit or Debit Card Account, you may recover up to $250 if you correctly provide the required information described on a complicated form, and obtain and provide copies of the documentation it requires, and may recover up to an additional $750 in out-of-pocket expenses, defined to include telephone charges, copying, postage charges or other charges incurred in closing or correcting an account that was opened or affected as a result of this kind of identity theft. (Identity theft monitoring and insurance and legal fees and lost wages are NOT on the list, which is copied from the Agreement.) Also, if as a result, you paid money that you didn’t really owe to creditors and you tried and failed to get them to waive the charges due to the ID theft, and you tried and failed to get them to refund the charges, you can apply to get up to $1500 of it back.

But, the standards do not require that TD Ameritrade ensure that default passwords on their servers not be left unchanged, that they perform penetration testing, or that they retain or monitor canaries placed in their user account database. I pushed to have the audit require these very reasonable steps, but it doesn’t. If TD Ameritrade fails to meet one or more of the standards, the agreement does not require that the Evaluator perform a second assessment after TD Ameritrade is given time to correct the non-compliance.

All the benefits of the old settlement are gone:

No free year of Trend Micro Internet Security Pro.

No site penetration testing. There is no assurance that existing custom applications will be tested. There is no assurance that even new custom applications will be tested! The settlement does nothing to forbid or prevent TD Ameritrade from reverting all the policy changes it makes or merely promises to make in order to be able to pass the audit as soon as it has been passed!!! There are at least a couple other gaping holes in the security compliance audit settlement component. I’d be ecstatic if the settlement provided for auditing if there weren’t gaping holes.

No account seeding with canaries.

No charitable donations to any of the charities previously identified and none are guaranteed to the new ones.

No $2.8 million to the plaintiffs’ attorneys. They get $500,000 (less any funds over $6,000,000 distributed to the class.) How it’s to be shared is not determined or disclosed.

No $10,000 for class representatives, like me. I discovered the information security breach by which the Social Security Numbers of 6.3 million Ameritrade customers were compromised and proved that known criminals had gained access to the database they were in, and used info stolen from the database to commit fraud. I also showed that Ameritrade covered up the breach by finding and reporting on the information I obtained from a whistleblower.

I get $0.
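The “account seeding with canaries” that the audit requirements paragraph above and the list item “No account seeding with canaries” refer to, as an added illustration (this is not code from the litigation, the settlement or TD Ameritrade): synthetic customer rows whose e-mail addresses exist only in the account database, so that spam arriving at one of them is evidence the table has leaked. The canary domain, secret and mail-log lines are constructed for the example; the HMAC tag and batch prefix are design choices I have assumed, not anything the settlement specifies.

```python
# Added example (not code from the litigation or from TD Ameritrade): seeding a
# customer table with canary accounts and monitoring mail logs for them.
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Assumption: a domain the company controls and never assigns to real customers.
CANARY_DOMAIN = "canary.example.net"
_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def canary_address(secret: bytes, batch: str, n: int) -> str:
    """Canary number n of a (lowercase) seed batch. The HMAC tag lets a monitor
    recognise genuine canaries later without keeping a list of every address."""
    tag = hmac.new(secret, f"{batch}:{n}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"{batch}-{n}-{tag}@{CANARY_DOMAIN}"


def seed_canaries(secret: bytes, batch: str, count: int) -> List[dict]:
    """Rows to insert among real customers. A canary carries no SSN or other
    data worth stealing; its only job is to be noticed when someone mails it."""
    return [{"email": canary_address(secret, batch, i), "ssn": None, "canary": True}
            for i in range(count)]


def canary_batch(secret: bytes, address: str) -> Optional[str]:
    """Batch name if address is a genuine canary, else None. Recomputing the
    tag stops made-up canary-looking addresses from raising false alerts."""
    m = re.fullmatch(r"([a-z0-9]+)-(\d+)-[0-9a-f]{12}@" + re.escape(CANARY_DOMAIN),
                     address.lower())
    if not m:
        return None
    expected = canary_address(secret, m.group(1), int(m.group(2)))
    return m.group(1) if hmac.compare_digest(expected, address.lower()) else None


def scan_mail_log(secret: bytes, lines: List[str]) -> Dict[str, List[str]]:
    """Map each leaked batch to the mail-log lines that addressed one of its canaries."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for addr in _ADDR_RE.findall(line):
            batch = canary_batch(secret, addr)
            if batch:
                hits.setdefault(batch, []).append(line)
    return hits


# Constructed sample: two seed batches; one shows up as pump-and-dump spam recipients.
SECRET = b"constructed-example-secret"
LEAKED = seed_canaries(SECRET, "export2006", 2)
SAFE = seed_canaries(SECRET, "backup2007", 2)
SAMPLE_LOG = [
    f"Nov 16 03:12:01 mx1 smtpd: from=<tips@penny-stock.example> to=<{LEAKED[0]['email']}> subj=BUY NOW",
    "Nov 16 03:12:05 mx1 smtpd: from=<alice@example.org> to=<bob@example.org> subj=lunch",
    f"Nov 16 03:13:40 mx1 smtpd: from=<tips@penny-stock.example> to=<{LEAKED[1]['email']}> subj=HOT PICK",
    f"Nov 16 03:14:00 mx1 smtpd: from=<x@y.example> to=<export2006-0-000000000000@{CANARY_DOMAIN}>",
]


def detect_leak() -> Dict[str, int]:
    """Canary hits per batch in the sample log: the forged address is ignored."""
    return {b: len(v) for b, v in scan_mail_log(SECRET, SAMPLE_LOG).items()}
```

Which batch leaked narrows down which export or backup copy walked out the door, which is exactly the kind of evidence the settlement’s audit does not require anyone to retain.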

The standards do NOT require that TD Ameritrade change the passwords for or disable all default system accounts, or that ‘good’ passwords be used, though the latter is somewhat implied by the training. Given that there are public reports that TD Ameritrade has had problems in the past with having default passwords on important systems, this is a frightening fact.

The Server Safeguards only apply to “servers on which an external client connection terminates (“Connected Servers”)”, not to machines such as the database system that was compromised during the breach! Surely such systems should not be running software with well-known security flaws.

The auditor can’t predict the future; without predicting the future, it is impossible for an auditor to reliably determine whether, e.g., “4. TD Ameritrade will have policies controlling the storage, access and transport of customer information.” An auditor can evaluate whether TD Ameritrade has a policy. More importantly, an auditor can evaluate whether TD Ameritrade enforces a policy. How can an auditor meaningfully evaluate whether TD Ameritrade promises to have a policy?

An organization that is so inept that, 5 years after a catastrophic security breach, it invites public scrutiny of such poorly designed auditing procedures, is truly frightening. I wish I could say more about the frightening things I learned and concerns I raised while MJ Spero was managing the case.

I’d hate to be TD Ameritrade when its security is breached again because it failed to do these things I think an audit should ensure that it does.

What we had in the earlier settlement was ‘lipstick on a pig’. What we have now is a beautiful, shiny, black, armored Humvee containing the rotting corpse of a pig in a nice suit and lipstick.

Under the current settlement, about 0.01% of the class will receive compensation that I’d call within the bounds of fair, reasonable and adequate. The bulk of the class will receive less than nothing. The bulk of the class will have their rights taken away and in return receive news of an audit that actually provides layperson-convincing but malicious-expert-attracting security theatre instead of real security.

The legal basis for the case rests largely on the claim that Ameritrade’s privacy policy was deceptive, because they KNEW their security had an ongoing breach for 2 years and falsely advertised in their privacy policy during that 2 year period that they had good security. The case’s claim cannot be remedied by a settlement that itself is deceptive, because it deceives the class with respect to when the breach started, what the main resulting damage and risks are, and provides the false impression that it will ensure that the company has passed an audit verifying that TD Ameritrade now has good security. The audit is so full of holes it doesn’t provide any true reassurance about TD Ameritrade security. It’s as reassuring as the Michigan gun test (http://www.nytimes.com/1991/06/11/us/true-or-false-michigan-gun-test-is-easy-a-true.html. Note: I’m saying that they are both designed to be ineffective; I’m not taking any position on gun control).

I’ve learned that our legal system is sometimes no match for a powerful corporation with skilled PR and legal teams. There’s no doubt TD Ameritrade covered up the news of the breach and has largely been successful in keeping the bulk of its customer base uninformed of its transgressions.


I have filed a lawsuit Holland vs. Ameritrade for one trillion dollars in Sacramento Federal Court claiming their online trading is a corrupt gambling scheme (violating RICO, gambling, unfair practices, fraud, negligence, breach of duty) with Ameritrade using brokers and computers trading house accounts, with better info and access to markets. Plus, statistics show day and frequent traders (playing against Goldman Sachs, etc.’s PhD computer programs) lose 95% of the principle in less than one year.

Ameritrade and the industry knew what would happen with self directed traders before the first customer signed up, never mind after statistics of a couple of years showed the massive losses of clients.

I am seeking and willing to compensate a whistle blower who can testify (in affidavit form) to Ameritrade’s scheme and knowledge of harm to clients and undisclosed conflicts of interest as to their own house trading accounts.

I checked the “Notify me of follow up comments” for contacting me. Please let me know how to e-mail you directly.

It’s unfair that the court has denied you access to ECF (Electronic Court Filing). In my jurisdiction, pro se parties are routinely (but not automatically) given ECF access. I think a reasonable objection could be made along these lines: The bar is a government-sanctioned monopoly; it’s illegal to practice law without the ongoing assent of the bar. (All the judges themselves have joined the bar.) It’s an abuse of that monopoly power to grant legal rights only to the members of that monopoly.

Those are some strong charges you make. I’m curious as to what evidence and arguments you might have to support your case.
Can you provide links to or email copies of your key filings, such as your initial filing and the deposition of Lois Rosenbaum? It’s an interesting contrast that in my case, the court allowed documents containing PII (Personally Identifiable Information, namely TD Ameritrade customer Social Security Numbers) into the docket. When I brought the PII to the court’s attention, they left the documents in the docket, but removed the PII.

Lady Justice, where art thou? It seems that there are many judges who make up their mind about how they wish to rule, and then stretch their legal interpretations to fit the decision they’ve made. Reminds me of SCOTUS decisions like Bush v. Gore, where the justices voted along party lines, 5-4.

I assume you meant to say that some (large) portion of day and frequent traders lose 95% of their principal (not principle). There’s no guarantee of equal outcomes. Unequal income (even grossly unequal income) is not considered strong evidence of foul play, at least in most areas of the law.
Do you claim that the trades self-directed traders made led to these losses because humans can’t compete with machines, or that the execution of the trades was improper, or what? I believe that most mutual funds underperform the market, and I would be surprised if most day and frequent traders don’t also underperform the market.
I believe TD Ameritrade doesn’t have house trading accounts (and if they do, their shareholders would be mighty surprised), but TD Bank (which owns 39% of TD Ameritrade) does. Do you have evidence that TD Ameritrade indeed has house trading accounts?

I’m doubtful the whistle-blower who has helped me would have information to help you, but if any whistle-blowers do contact me about your case, I will put you in touch.

Matthew,
I was doing some research about Holland Vs TD Ameritrade and I ran into this. I have a problem too. I lost $120,000 because Ameritrade deliberately supplied wrong quotes. You can see my site at http://stockmarketloss.wordpress.com

[It’s funny when spammers don’t know English or how to use their tools; this is a good example. -Ed.]

I {don’t|do not} even know how I ended up here, but I thought this post was {good|great}. I {don’t|do not} know who you are but {definitely|certainly} {you are|you’re} going to a famous blogger if you {are not|aren’t} already ;) Cheers!…

Heya i am for the first time here. I found this board and I find It really useful & it helped me out much. I hope to give something back and help others like you aided me….